Skip to main content

SecurityV0 v0.2 - February 2026 Delivery Plan

Mission

Deliver a working product that proves SecurityV0's core value proposition: detecting orphaned autonomous identities with expanding authority in enterprise environments.

Target: Run against a design-partner's ServiceNow tenant and produce evidence that supports a paid pilot conversation.

What We're Building

Core Detection Capability (Phase 1)

DetectionWhat It ProvesBusiness Value
Automation ExistsAn Entra service principal is actively executing in ServiceNow"You have autonomous execution you may not know about"
Ownership DecayThe human who approved this automation is gone"No one is accountable for this execution anymore"
Scope DriftPermissions have expanded over time without re-approval"This automation can do more than originally intended"

Output: Evidence Pack

A sealed, timestamped document proving each finding with:

  • Identity details (what is executing)
  • Authority snapshot (what it can do)
  • Ownership timeline (who was responsible, when they left)
  • Drift history (how permissions changed)

Team Allocation

PersonFocus AreaFebruary Objective
IvanPlatform & DetectionBuild the detection engine and evidence generation
ViktorIntegration & ScenariosReal-world test cases, ServiceNow/Azure data extraction
SergeyProduct & PartnersDesign partner coordination, PRD validation, demo readiness

February Timeline

Week 1 (Feb 3-7)        Week 2 (Feb 10-14)      Week 3 (Feb 17-21)      Week 4 (Feb 24-28)
┌──────────────────┐    ┌──────────────────┐    ┌──────────────────┐    ┌──────────────────┐
│  REAL DATA       │    │  DETECTION       │    │  EVIDENCE &      │    │  DEMO READY      │
│  PIPELINE        │    │  ENGINE          │    │  TEST SCENARIOS  │    │                  │
│                  │    │                  │    │                  │    │                  │
│ • Connect        │    │ • Implement 3    │    │ • Evidence pack  │    │ • Findings UI    │
│   scanner to DB  │    │   detection      │    │   generation     │    │ • Graph view     │
│ • Real Azure/SN  │    │   rules          │    │ • 3+ test        │    │ • Deployable     │
│   data flowing   │    │ • Temporal       │    │   scenarios      │    │   package        │
│                  │    │   tracking       │    │ • Real examples  │    │ • Partner demo   │
└──────────────────┘    └──────────────────┘    └──────────────────┘    └──────────────────┘

Week 1: Real Data Pipeline

Goal

Get real Azure and ServiceNow data flowing into our system (not just mock data).

Ivan

  • Connect correlator scanner output to graph database
  • Enable entity versioning (track changes over time)
  • Set up test environment with real Azure/ServiceNow instance

Viktor

  • Deploy Azure Function test infrastructure
  • Configure ServiceNow OAuth integration
  • Verify we can pull real data from both systems

Success Criteria

  • Real Entra ID service principal data in database
  • Real ServiceNow OAuth app data in database
  • Changes tracked over time

Week 2: Detection Engine

Goal

Implement deterministic detection rules that fire on real data.

Detection Rules

1. Automation Detection

"This Entra service principal is configured to execute in ServiceNow and has done so recently"

Evidence needed:

  • Service principal metadata (ID, created date, credentials)
  • OAuth configuration linking SP to ServiceNow
  • Recent execution activity (API calls, ticket creation)

2. Ownership Decay

"The human owner of this automation no longer exists or is disabled"

Evidence needed:

  • Current owner status (deleted/disabled)
  • Original owner who set it up
  • Timeline: when ownership became invalid
  • Duration: how long it's been orphaned

3. Scope Drift

"This automation's permissions have expanded over time"

Evidence needed:

  • Timeline of role/permission changes
  • Each change was locally approved (no policy violation)
  • Current vs. original permission set

Ivan

  • Build detection rule framework
  • Implement all 3 rules
  • Ensure rules are deterministic (same input = same output)

Viktor

  • Extract ServiceNow role history with timestamps
  • Extract Entra ID owner change history
  • Feed temporal data to detection engine

Success Criteria

  • All 3 detections fire correctly on test data
  • Findings include full evidence chain
  • No false positives on clean data

Week 3: Evidence Packs & Test Scenarios

Goal

Generate exportable evidence and build compelling real-world scenarios.

Evidence Pack Contents

  1. Executive Summary - One-paragraph finding description
  2. Identity Profile - What is this automation, when created, by whom
  3. Authority Snapshot - Current permissions and reach
  4. Ownership Timeline - Visual history of ownership changes
  5. Drift Analysis - Permission changes over time
  6. Recommended Action - Re-assign owner, revoke permissions, or decommission

Test Scenarios to Build

Scenario 1: The Orphaned HR Bot (Current)

  • Azure Function monitors shared mailbox
  • Creates ServiceNow tickets for new hire onboarding
  • Original owner left 6 months ago
  • Permissions expanded to include HR case management

Scenario 2: The Forgotten Integration User

  • ServiceNow integration user created for Workday sync
  • Workday integration was decommissioned
  • User still exists with admin-equivalent roles
  • No execution in 18 months but full access remains

Scenario 3: The Inherited Service Principal

  • SP created by contractor for "temporary" integration
  • Contractor left, SP transferred to IT service account
  • IT service account has no human oversight
  • SP permissions grew through support tickets

Scenario 4: The Shadow Automation

  • Employee creates personal Azure automation
  • Uses org ServiceNow credentials
  • Employee changes roles, loses ServiceNow access personally
  • Automation continues with original credentials

Ivan

  • Build evidence pack generator
  • Create export formats (JSON, Markdown, PDF if time permits)
  • Ensure SHA256 integrity hashing

Viktor

  • Implement Scenario 2-4 test cases
  • Create realistic data for each scenario
  • Document detection expectations per scenario

Success Criteria

  • Evidence packs generated for all findings
  • At least 3 different scenarios working
  • Evidence readable by non-technical stakeholders

Week 4: Demo Ready

Goal

Deployable package with UI, ready for design partner demo.

UI Requirements

  1. Findings Dashboard

    • List of detected issues
    • Finding type indicators
    • Filter by type and date

  2. Graph Visualization

    • Shows: Identity → Owner → Role → Permission → Resource
    • Highlights orphaned owners (red)
    • Highlights drifted permissions (orange)
    • Click nodes for detail

  3. Evidence Viewer

    • View full evidence pack for any finding
    • Download as PDF/Markdown

Deployment Package

  • Single Docker Compose setup
  • Configure via environment variables (tenant credentials)
  • Works with any ServiceNow + Entra ID tenant

Ivan

  • Complete UI with real data binding
  • Docker deployment packaging
  • Setup and configuration documentation

Viktor

  • End-to-end testing on all scenarios
  • Document manual steps (if any)
  • Help with partner demo preparation

Sergey

  • Design partner scheduling
  • Demo script preparation
  • Feedback collection framework

Success Criteria

  • UI shows real findings with evidence
  • Graph visualization working
  • Deploys with docker-compose up
  • Ready for partner demo

Real-Life Examples We're Detecting

Example 1: HR Onboarding Automation

FINDING: Orphaned Automation with Scope Drift

Identity: sp-hr-onboarding (Azure Service Principal)
Status: ACTIVE - executing daily
Owner: sarah.chen@company.com (DELETED 180 days ago)

Original Authority (Day 0):
  • Create incidents
  • Read user profiles

Current Authority (Today):
  • Create incidents
  • Read user profiles
  • Close incidents ← Added Month 4
  • Reassign tasks ← Added Month 4
  • Access HR cases ← Added Month 8
  • Modify employee records ← Added Month 8

Drift Events:
  Month 4: +2 permissions (approved by sarah.chen)
  Month 6: sarah.chen account deleted
  Month 8: +2 permissions (approved by IT-ServiceDesk group)

Risk: Orphaned identity with HR data access, no human accountable

Example 2: Forgotten Integration

FINDING: Dormant Authority

Identity: svc_workday_sync (ServiceNow Integration User)
Status: NO EXECUTION in 547 days
Last Activity: 2024-08-15

Current Authority:
  • sys_admin role
  • hr_admin role
  • itil role

Original Purpose: Workday HR sync (decommissioned 2024-06)
Owner: workday-team@company.com (distribution list - no responses)

Risk: Full admin access, no execution, no owner, attack surface

Example 3: Permission Creep via Support Tickets

FINDING: Scope Drift

Identity: azure-reporting-sp (Azure Service Principal)
Owner: it-operations@company.com (active)

Permission Timeline:
  Jan 2025: Read-only report access (original)
  Mar 2025: +Write incident notes (INC0012345)
  May 2025: +Close incidents (INC0023456)
  Aug 2025: +Access CMDB (INC0034567)
  Nov 2025: +Modify CI records (INC0045678)
  Jan 2026: +Delete capabilities (INC0056789)

Pattern: Each expansion approved individually via support ticket
         No periodic review, no aggregate visibility

Risk: Incremental privilege accumulation, no holistic governance

Detection Mechanism Improvements

Current Detection (Correlator)

  • Scans Azure SPs and ServiceNow OAuth apps
  • Matches by client_id
  • Checks owner status

Enhanced Detection (v0.2)

1. Temporal Analysis

  • Track permission changes over time (not just current state)
  • Detect incremental expansion patterns
  • Identify "permission velocity" (how fast authority grows)

2. Cross-System Correlation

  • Link Azure SP owners → ServiceNow user status
  • Detect when Azure owner exists but ServiceNow identity orphaned
  • Map execution paths across both systems

3. Activity-Based Context

  • Distinguish active vs dormant automations
  • Weight findings by execution frequency
  • Flag "high-authority, low-activity" identities

4. Ownership Depth Analysis

  • Check primary owner, secondary owner, inherited ownership
  • "Orphaned" = ALL ownership levels decayed
  • "At-risk" = Primary decayed, secondary active

5. Blast Radius Calculation

  • What ServiceNow tables can this identity access?
  • What business domains (HR, Finance, IT) are reachable?
  • Execution paths: Identity → Role → Permission → Sensitive Data

Success Metrics

Technical

  • 3+ real-world scenarios implemented and detected
  • Detection accuracy: 100% precision (no false positives)
  • Evidence packs: complete, readable, exportable
  • Deployment: single command setup

Business

  • Design partner demo completed
  • Evidence pack quality: "audit-ready" feedback
  • Clear differentiation from ServiceNow native + Veza
  • Path to paid pilot defined

What We're NOT Building (v0.2)

  • ❌ Continuous monitoring (this is point-in-time scan)
  • ❌ Alerting/notifications
  • ❌ Remediation automation (read-only platform)
  • ❌ Full ServiceNow workflow introspection
  • ❌ Teams/chat integration
  • ❌ Multi-tenant self-service (single tenant per deployment)

Key Questions for Discussion

  1. Design Partner Timeline - When can we demo? Do we have a target date?

  2. Scenario Priority - Which of the 4 scenarios is most compelling for partners?

  3. Evidence Format - PDF required for v0.2, or is Markdown/JSON sufficient?

  4. Deployment Complexity - How technical are the people installing this?

  5. Competitive Positioning - What's our one-sentence differentiator vs Veza?